Always Guest User with XHR

@julian I agree with your analysis. I'm on Ghost 3.41.2

@psychobunny - any ideas on things I could try?

So I was able to solve the previously mentioned issue. Ghost.js looks for the title of a post in a SPAN with the id of "nbb-title". For some reason, that span was empty. I used handlebars and .innerHTML to write the title to that span.

However, I'm now back to what appears to be a header issue - but this time it might on the NodeBB side:

2021-01-24T18:44:04.051Z [4567/62671] - warn: [nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: *
2021-01-24T18:44:10.221Z [4567/62671] - warn: [nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: *
Error: You do not have enough privileges for this action.
    at Topics.post (/home/ubuntu/nodebb/src/topics/create.js:86:10)
    at processTicksAndRejections (internal/process/task_queues.js:97:5) undefined

Our nodeBB is hosted at: https://dev.opposite-lock.com
The blog is hosted at: https://fp.opposite-lock.com (this is exactly what is specified in the plugin.

@julian It took a few days to have the admin add it, but here's the robust error:

Error: Please enter a longer title. Titles should contain at least 3 character(s).
at check (/home/ubuntu/nodebb/src/topics/create.js:253:10)
at Object.Topics.checkTitle (/home/ubuntu/nodebb/src/topics/create.js:239:3)
at Topics.post (/home/ubuntu/nodebb/src/topics/create.js:71:10)
at Callbackified (util.js:210:5)
at Object.wrapperCallback [as post] (/home/ubuntu/nodebb/src/promisify.js:46:23)
at /home/ubuntu/nodebb/node_modules/nodebb-plugin-blog-comments/library.js:178:11
at /home/ubuntu/nodebb/node_modules/async/dist/async.js:2955:19
at wrapper (/home/ubuntu/nodebb/node_modules/async/dist/async.js:268:20)
at iterateeCallback (/home/ubuntu/nodebb/node_modules/async/dist/async.js:421:28)
at /home/ubuntu/nodebb/node_modules/async/dist/async.js:321:20 undefined

@julian Thanks! I managed to get it almost working. Now I get a wonderfully generic {"error":"Unable to post topic"}

Thanks @julian - your message prompted me to look at the cookie itself. Chrome DevTools is flagging an issue that I didn't previously see.

This Set-Cookie was blocked because it had the "SameSite=strict" attribute but came form a cross-site response which was not the response to a top-level navigation.

To try to answer you're question, here's what my headers look like. I will freely admit, I'm a little over my head on this! I'm a marketing guy trying to help out his car community

Request:
GET /comments/get/5fe3b20991b86c0039a9800e/0 HTTP/1.1
Host: dev.opposite-lock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: /
Origin: https://nicholasdallain-2.ghost.io
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://nicholasdallain-2.ghost.io/a-new-test-post/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 29 Dec 2020 00:57:44 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 5641
Connection: keep-alive
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Referrer-Policy: strict-origin-when-cross-origin
X-Powered-By: Oppositelock
Content-Security-Policy: frame-ancestors 'self'
set-cookie: _csrf=qVrBDseAYi8zRdAqIhsffeBz; Path=/; HttpOnly; Secure; SameSite=Strict
Access-Control-Allow-Origin: https://nicholasdallain-2.ghost.io
Access-Control-Allow-Headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
Access-Control-Allow-Credentials: true
ETag: W/"1609-C37JNRX5kkSgV4I14TWs+cPivkE"

I am continuing to read documentation and guessing that it has something to do with authentication for the API. Does anyone have an example of authenticating via javascript with cookies?

ReDoc

(docs.nodebb.org)

I'm working on getting commenting set up on a Ghost blog using Nodebb (making use of the nodebb-plugin-blog-comments plugin).

Ghost blog: https://nicholasdallain-2.ghost.io/
NodeBB site: https://dev.opposite-lock.com/

The plugin calls a request via javascript on the Ghost page. Looking at the Chrome Developer Options, I get a different response from the api via Javascript than I do just opening the page in my browser.

Sample request: https://dev.opposite-lock.com/comments/get/5fe3b20991b86c0039a9800e/0

Developer Options (just a relevant chunk):
user: {uid: 0, username: "[[global:guest]]", userslug: "", fullname: "[[global:guest]]", email: "",…}

In Browser Tab:
{"uid":139,"username":"nickhasanexocet","userslug":"nickhasanexocet","email":"nick.all....

Because of this issue, the commenting system won't allow me to publish the ghost blog to nodebb for commenting. Instead I see "Comments are disabled."